Are hotel key cards a security risk?

A nationally recognized reporter, writer, and consumer advocate, Ed Perkins focuses on how travelers can find the best deals and avoid scams.

He is the author of "Online Travel" (2000) and "Business Travel: When It's Your Money" (2004), the first step-by-step guide specifically written for small business and self-employed professional travelers. He was also the co-author of the annual "Best Travel Deals" series from Consumers Union.

Perkins' advice for business travelers is featured on MyBusinessTravel.com, a website devoted to helping small business and self-employed professional travelers find the best value for their travel dollars.

Perkins was founding editor of Consumer Reports Travel Letter, one of the country's most influential travel publications, from which he retired in 1998. He has also written for Business Traveller magazine (London).

Perkins' travel expertise has led to frequent television appearances, including ABC's "Good Morning America" and "This Week with David Brinkley," "The CBS Evening News with Dan Rather," CNN, and numerous local TV and radio stations.

Before editing Consumer Reports Travel Letter, Perkins spent 25 years in travel research and consulting with assignments ranging from national tourism development strategies to the design of computer-based tourism models.

Born in Evanston, Illinois, Perkins lives in Ashland, Oregon with his wife.

Can crooks use magnetically encoded hotel “key” cards to steal important personal information? That’s a question going around in travel circles these days.

As one concerned frequent traveler asked, “I heard that the newest form of identity theft is through the magnetic-stripe hotel door ‘keys’ that so many hotels use. Supposedly, those cards contain a lot of personal information, including name, address, and credit card number. Is this a real problem, and should I do anything about it?” Short answer: The preponderance of evidence suggests that key-card data theft is nothing more than an urban legend, but some travelers remain unconvinced.

The tests

Several outfits have tested the theory. Earlier this year, for example, the magazine Computerworld had more than 100 key cards tested: some collected by its own staff, some from employees of a professional testing organization. The overall conclusion was that the keys did not pose a security threat. Most of them contained only basic hotel data—name, departure date, and hotel folio number—that wouldn’t compromise anyone’s critical information. The cards that did include more were all encrypted in a way that couldn’t be read by a standard card reader. However, the publication found that a few older systems might not be so safe. Read Computerworld‘s report for full details.

The website TruthOrFiction.com looked into the situation and also labeled it an urban legend. Snopes.com, a website devoted to checking out all sorts of rumors, came to the same conclusion. Ditto the “Urban Legends” component of About.com. Additional sites coming down on the side of urban legend include BreakTheChain.org, Hoax-Slayer, and a bunch of others—if you’re interested, Google “hotel key card information” and you’ll see lots of other reports.

What probably happened

The websites indicated that all those key-card rumors probably originated with a single report, typically attributed to “Southern California law enforcement professionals.” That report was apparently leaked from the Pasadena, California, police department in October 2003, based on an observation of a single obsolete system. The Pasadena police department seemed surprised that a draft report, leaked unofficially, suddenly became a popular national chain message, seen by a large number of consumers. The department subsequently re-examined the question and issued an update, noting that its further investigations had revealed no security risks from the key cards.

Oddly enough, some of the sites that pronounced the rumor to be an urban legend nevertheless suggested travelers destroy their key cards when they check out rather than discarding them or returning them to the hotel desk. That’s like the old joke of the judge’s declaring the defendant innocent, then warning “but don’t to it again.”

Some risks are real

Even though key cards may not contain information useful to identity thieves, anyone who stays in a hotel runs some risks of identity theft, as do any travelers who use their credit cards anywhere else. Sadly, any employee of any organization that accepts credit cards can potentially steal your card data. You hear stories of waiters who have their own card readers and run your card through them as well as the restaurant’s machine. Hotel clerks, retail clerks, and others have similar opportunities to grab your numbers. Your protection lies not in keeping your card numbers secret—as long as you use the card, someone has those numbers—but instead in your personal vigilance and the verification systems used by merchants and banks.

As the final answer to the reader’s question, then, I’d say that hotel key cards probably aren’t a real threat to your personal identity data, and you probably needn’t do anything about them. But if you’re paranoid, destroy your key cards anyway.

SmarterTravel.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com. SmarterTravel.com also participates in the SkimLinks and SkimWords affiliate programs.